Both of these refer to a data sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust, and which gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as well as access to patient data from the last five years (via SUS).

The Royal Free Hospital will remain the official data controller in this instance.

I would be very grateful for the following information relating to this agreement.

• Please could you provide me with a copy of this data-sharing agreement between the Royal Free NHS Trust and DeepMind (I assume suitably redacted to remove commercially sensitive items such as £). I am particularly interested in the information governance arrangements detailed within that document

• Please could you provide me with all communication that the Royal Free NHS Trust has had with the Information Commissioner's Office (ICO) regarding this agreement, which may include, for example, advice about the legality of such an arrangement, requirements for fair processing information, and the rights and processes by which patients of those hospital can object to the processing of their personal confidential data by DeepMind, for both primary and secondary purposes

• Please could you kindly provide me with the fair processing information that you make available to patients, attending all those hospitals, regarding this new use of their personal confidential data (for example, poster, handouts, leaflets)

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can *completely* object to the passing of their personal confidential data to DeepMind for processing, for *both* primary and secondary uses. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing the trusts' electronic hospital record for their direct medical care

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can object to the passing of their personal confidential data to DeepMind for processing for secondary uses *only* (that is, for purposes other than their direct medical care), including the pseudonymisation of personal confidential data for that reason. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

The articles state that DeepMind will have access to the NHS' centralised record of all hospital treatments in the UK, dubbed the Secondary User Service (SUS) database.

At a patient's request, hospital trusts are required to remove all patient identifiable data (NHS number or name/address, local patient identifier (hospital number), DOB, postcode) from any SUS submission (CDS file) and render it anonymised and not pseudonymised. Guidance on such a process is available from the HSCIC :
http://www.hscic.gov.uk/media/9719/Schem...

• Please can you provide me with the opt-out form that patients of the Royal Free NHS Trust can use to request such anonymisation of their SUS data submissions

Patients might not be aware of the processing of their data by DeepMind in this way. When they do find out, and if there are unhappy about such an arrangement, they might wish to ensure that any such data about them that has been uploaded or passed to DeepMind is deleted completely.

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can request that any personal confidential data about them uploaded or passed to DeepMind is completely deleted, and that no further information is passed to DeepMind for either primary or secondary purposes. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

As per Section 1(4) of the FOI Act
( http://www.legislation.gov.uk/ukpga/2000... ) I would like the information in question held at the time when my request is received (draft or otherwise), except that account may be taken of any amendment or deletion made between now and the latest time by which the information is to be communicated to me, being an amendment or deletion that would have been made regardless of the receipt of my request.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request, which I make to be the 1st June.

If my request is denied in whole or in part, or specific items within the responses are withheld from disclosure, then you must justify all deletions by reference to specific exemptions of the act, as per Section 17 of the Act
( http://www.legislation.gov.uk/ukpga/2000... ). Where you rely on a qualified exemption to withhold disclosure, you are obliged to consider the public interest in your decision and the refusal notice must explain not only which exemption applies and why, but also the public interest arguments addressed in reaching the decision.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO ("It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with").

Thank you very much once again, and I look forward to the information that I have requested, in accordance with the Act.

Instead, please could you also provide me with any privacy impact assessment that you have performed regarding this project.
Please take this request for the PIA as an addendum to my original request, rather than a new/separate FOI request.

Instead, please could you also provide me with any privacy impact assessment that you have performed regarding this project.
Please take this request for the PIA as an addendum to my original request, rather than a new/separate FOI request.

Both of these refer to a data sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust, and which gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as well as access to patient data from the last five years (via SUS).

The Royal Free Hospital will remain the official data controller in this instance.

I would be very grateful for the following information relating to this agreement.

• Please could you provide me with a copy of this data-sharing agreement between the Royal Free NHS Trust and DeepMind (I assume suitably redacted to remove commercially sensitive items such as £). I am particularly interested in the information governance arrangements detailed within that document

• Please could you provide me with all communication that the Royal Free NHS Trust has had with the Information Commissioner's Office (ICO) regarding this agreement, which may include, for example, advice about the legality of such an arrangement, requirements for fair processing information, and the rights and processes by which patients of those hospital can object to the processing of their personal confidential data by DeepMind, for both primary and secondary purposes

• Please could you kindly provide me with the fair processing information that you make available to patients, attending all those hospitals, regarding this new use of their personal confidential data (for example, poster, handouts, leaflets)

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can *completely* object to the passing of their personal confidential data to DeepMind for processing, for *both* primary and secondary uses. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing the trusts' electronic hospital record for their direct medical care

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can object to the passing of their personal confidential data to DeepMind for processing for secondary uses *only* (that is, for purposes other than their direct medical care), including the pseudonymisation of personal confidential data for that reason. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

The articles state that DeepMind will have access to the NHS' centralised record of all hospital treatments in the UK, dubbed the Secondary User Service (SUS) database.

At a patient's request, hospital trusts are required to remove all patient identifiable data (NHS number or name/address, local patient identifier (hospital number), DOB, postcode) from any SUS submission (CDS file) and render it anonymised and not pseudonymised. Guidance on such a process is available from the HSCIC :
http://www.hscic.gov.uk/media/9719/Schem...

• Please can you provide me with the opt-out form that patients of the Royal Free NHS Trust can use to request such anonymisation of their SUS data submissions

Patients might not be aware of the processing of their data by DeepMind in this way. When they do find out, and if there are unhappy about such an arrangement, they might wish to ensure that any such data about them that has been uploaded or passed to DeepMind is deleted completely.

• Please could you provide me with the process (including any requisite forms that must be completed) by which patients can request that any personal confidential data about them uploaded or passed to DeepMind is completely deleted, and that no further information is passed to DeepMind for either primary or secondary purposes. Such an objection would, of course, not prohibit medical staff within the hospitals from accessing their electronic hospital record for their direct medical care

As per Section 1(4) of the FOI Act
( http://www.legislation.gov.uk/ukpga/2000... ) I would like the information in question held at the time when my request is received (draft or otherwise), except that account may be taken of any amendment or deletion made between now and the latest time by which the information is to be communicated to me, being an amendment or deletion that would have been made regardless of the receipt of my request.

I would be grateful if you would be kind enough to send me the requested information promptly and in any event not later than the twentieth working day following the date of receipt of my request, which I make to be the 1st June.

If my request is denied in whole or in part, or specific items within the responses are withheld from disclosure, then you must justify all deletions by reference to specific exemptions of the act, as per Section 17 of the Act ( http://www.legislation.gov.uk/ukpga/2000... ). Where you rely on a qualified exemption to withhold disclosure, you are obliged to consider the public interest in your decision and the refusal notice must explain not only which exemption applies and why, but also the public interest arguments addressed in reaching the decision.

I would be grateful if you would kindly acknowledge receipt of this request as recommended by the ICO ("It would be good practice to acknowledge receipt of requests and to refer to the 20 working day time limit, so that applicants know their request is being dealt with").

Thank you very much once again, and I look forward to the information that I have requested, in accordance with the Act.

Yours sincerely,

Dr Neil Bhatia

-------------------------------------------------------------------

Please use this email address for all replies to this request:
[FOI #331981 email]

Is [Royal Free London NHS Foundation Trust request email] the wrong address for Freedom of Information requests to Royal Free London NHS Foundation Trust? If so, please contact us using this form:
https://www.whatdotheyknow.com/change_re...

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be accessed anywhere

1 Attachment

Further to your request for information please see the response below in
red type. You may also find the information we have published on our
website of interest – it is available at
[1]https://www.royalfree.nhs.uk/news-media/...

Your appeal rights

We hope that you will be satisfied with our response to your request, if
not you may ask us to review our decision in which case you should write
to Ms Emma Kearney, director of corporate affairs and communications,
Royal Free London NHS Foundation Trust, Pond Street, London NW3 2QG,
explaining what you would like us to review and including your reference
number. If you are not satisfied with the internal review, you can appeal
to the Information Commissioner. The contact details are: Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF, telephone 01625 545 700 or see [2]www.ico.org.uk

Both of these refer to a data sharing agreement between Google-owned
artificial intelligence company DeepMind and the Royal Free NHS Trust, and
which gives DeepMind access to a wide range of healthcare data on the 1.6
million patients who pass through three London hospitals run by the Royal
Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as
well as access to patient data from the last five years (via SUS).

The Royal Free Hospital will remain the official data controller in this
instance.

I would be very grateful for the following information relating to this
agreement.

• Please could you provide me with a copy of this data-sharing agreement
between the Royal Free NHS Trust and DeepMind (I assume suitably redacted
to remove commercially sensitive items such as £). I am particularly
interested in the information governance arrangements detailed within that
document The information sharing agreement is enclosed. The precise
storage location has been redacted under section 43 (commercial
interests).

• Please could you provide me with all communication that the Royal Free
NHS Trust has had with the Information Commissioner's Office (ICO)
regarding this agreement, which may include, for example, advice about the
legality of such an arrangement, requirements for fair processing
information, and the rights and processes by which patients of those
hospital can object to the processing of their personal confidential data
by DeepMind, for both primary and secondary purposes – The trust is not
required to consult with the ICO in regard of any data sharing or data
processing agreements, however,

· The NHS Confidentiality Code of Practice [p15(38)] states that
when patients agree to be treated in hospital, they “understand that some
information about them must be shared in order to provide them with care
and treatment”. The hospital (as the data controller) determines what data
processing needs to take place to deliver care. This process also covers
the multitude of other clinical systems in every NHS hospital that provide
essential electronic records, document management and pathology services.
It is implausible to consider that hospitals could function if they had to
seek informed consent for every clinical system they use.

· The Fair Processing Notice issued by the Trust explains that
patient identifiable data will only be shared with third parties when it
is to be processed for direct patient care purposes. Patients have the
ability to opt-out of third-party data sharing by informing the trust’s
information governance lead they want to opt out.

• Please could you kindly provide me with the fair processing information
that you make available to patients, attending all those hospitals,
regarding this new use of their personal confidential data (for example,
poster, handouts, leaflets) – The trust has information on the public
website at
[6]http://s3-eu-west-1.amazonaws.com/files....

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can *completely* object to
the passing of their personal confidential data to DeepMind for
processing, for *both* primary and secondary uses. Such an objection
would, of course, not prohibit medical staff within the hospitals from
accessing the trusts' electronic hospital record for their direct medical
care – The trust’s process is for the patient to contact the data
protection officer, as advised on the website.

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can object to the passing
of their personal confidential data to DeepMind for processing for
secondary uses *only* (that is, for purposes other than their direct
medical care), including the pseudonymisation of personal confidential
data for that reason. Such an objection would, of course, not prohibit
medical staff within the hospitals from accessing their electronic
hospital record for their direct medical care - The trust’s process is
for the patient to contact the data protection officer, as advised on the
website.

The articles state that DeepMind will have access to the NHS' centralised
record of all hospital treatments in the UK, dubbed the Secondary User
Service (SUS) database.

At a patient's request, hospital trusts are required to remove all patient
identifiable data (NHS number or name/address, local patient identifier
(hospital number), DOB, postcode) from any SUS submission (CDS file) and
render it anonymised and not pseudonymised. Guidance on such a process is
available from the HSCIC :

• Please can you provide me with the opt-out form that patients of the
Royal Free NHS Trust can use to request such anonymisation of their SUS
data submissions The trust’s process is for the patient to contact the
data protection officer, as advised on the website.

Patients might not be aware of the processing of their data by DeepMind in
this way. When they do find out, and if there are unhappy about such an
arrangement, they might wish to ensure that any such data about them that
has been uploaded or passed to DeepMind is deleted completely. The
trust’s process is for the patient to contact the data protection
officer, as advised on the website.

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can request that any
personal confidential data about them uploaded or passed to DeepMind is
completely deleted, and that no further information is passed to DeepMind
for either primary or secondary purposes. Such an objection would, of
course, not prohibit medical staff within the hospitals from accessing
their electronic hospital record for their direct medical care - The
trust’s process is for the patient to contact the data protection
officer, as advised on the website.

As per Section 1(4) of the FOI Act

( [9]http://www.legislation.gov.uk/ukpga/2000... ) I would like
the information in question held at the time when my request is received
(draft or otherwise), except that account may be taken of any amendment or
deletion made between now and the latest time by which the information is
to be communicated to me, being an amendment or deletion that would have
been made regardless of the receipt of my request.

I would be grateful if you would be kind enough to send me the requested
information promptly and in any event not later than the twentieth working
day following the date of receipt of my request, which I make to be the
1st June.

If my request is denied in whole or in part, or specific items within the
responses are withheld from disclosure, then you must justify all
deletions by reference to specific exemptions of the act, as per Section
17 of the Act ( [10]http://www.legislation.gov.uk/ukpga/2000... ). Where you rely on a qualified exemption to withhold disclosure, you are
obliged to consider the public interest in your decision and the refusal
notice must explain not only which exemption applies and why, but also the
public interest arguments addressed in reaching the decision.

I would be grateful if you would kindly acknowledge receipt of this
request as recommended by the ICO ("It would be good practice to
acknowledge receipt of requests and to refer to the 20 working day time
limit, so that applicants know their request is being dealt with").

Thank you very much once again, and I look forward to the information that
I have requested, in accordance with the Act.

Yours sincerely,

Dr Neil Bhatia

-------------------------------------------------------------------

Please use this email address for all replies to this request:

[11][FOI #331981 email]

Is [12][Royal Free London NHS Foundation Trust request email] the wrong address for Freedom of Information
requests to Royal Free London NHS Foundation Trust? If so, please contact
us using this form:

This message may contain confidential information. If you are not the
intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or
take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS
staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive
information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be
accessed anywhere

• care.data
• The Summary Care Record,
• The Hampshire Health Record
• The Berkshire Health Record (Connected Care)
• The Manchester Care Record
• The Stockport Health and Care Record
• The Salford Integrated Record
• The West Cheshire Care Record
• The North Staffs and Stoke-on-Trent Shared Record
• The Dorset Care Record
• Secondary uses of your information
• Local data streaming initiatives
• The HSCIC
• Google DeepMind & the Royal Free NHSFT

1 Attachment

I note that in a subsequent communication you advised that you no longer
wished to receive a copy of the information sharing agreement but
requested a copy of the privacy impact assessment. This is now enclosed
and apologies not to have enclosed this with our previous response.

Further to your request for information please see the response below in
red type. You may also find the information we have published on our
website of interest – it is available at
[1]https://www.royalfree.nhs.uk/news-media/...

Your appeal rights

We hope that you will be satisfied with our response to your request, if
not you may ask us to review our decision in which case you should write
to Ms Emma Kearney, director of corporate affairs and communications,
Royal Free London NHS Foundation Trust, Pond Street, London NW3 2QG,
explaining what you would like us to review and including your reference
number. If you are not satisfied with the internal review, you can appeal
to the Information Commissioner. The contact details are: Information
Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9
5AF, telephone 01625 545 700 or see [2]www.ico.org.uk

Both of these refer to a data sharing agreement between Google-owned
artificial intelligence company DeepMind and the Royal Free NHS Trust, and
which gives DeepMind access to a wide range of healthcare data on the 1.6
million patients who pass through three London hospitals run by the Royal
Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year, as
well as access to patient data from the last five years (via SUS).

The Royal Free Hospital will remain the official data controller in this
instance.

I would be very grateful for the following information relating to this
agreement.

• Please could you provide me with a copy of this data-sharing agreement
between the Royal Free NHS Trust and DeepMind (I assume suitably redacted
to remove commercially sensitive items such as £). I am particularly
interested in the information governance arrangements detailed within that
document The information sharing agreement is enclosed. The precise
storage location has been redacted under section 43 (commercial
interests).

• Please could you provide me with all communication that the Royal Free
NHS Trust has had with the Information Commissioner's Office (ICO)
regarding this agreement, which may include, for example, advice about the
legality of such an arrangement, requirements for fair processing
information, and the rights and processes by which patients of those
hospital can object to the processing of their personal confidential data
by DeepMind, for both primary and secondary purposes – The trust is not
required to consult with the ICO in regard of any data sharing or data
processing agreements, however,

· The NHS Confidentiality Code of Practice [p15(38)] states that
when patients agree to be treated in hospital, they “understand that some
information about them must be shared in order to provide them with care
and treatment”. The hospital (as the data controller) determines what data
processing needs to take place to deliver care. This process also covers
the multitude of other clinical systems in every NHS hospital that provide
essential electronic records, document management and pathology services.
It is implausible to consider that hospitals could function if they had to
seek informed consent for every clinical system they use.

· The Fair Processing Notice issued by the Trust explains that
patient identifiable data will only be shared with third parties when it
is to be processed for direct patient care purposes. Patients have the
ability to opt-out of third-party data sharing by informing the trust’s
information governance lead they want to opt out.

• Please could you kindly provide me with the fair processing information
that you make available to patients, attending all those hospitals,
regarding this new use of their personal confidential data (for example,
poster, handouts, leaflets) – The trust has information on the public
website at
[6]http://s3-eu-west-1.amazonaws.com/files....

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can *completely* object to
the passing of their personal confidential data to DeepMind for
processing, for *both* primary and secondary uses. Such an objection
would, of course, not prohibit medical staff within the hospitals from
accessing the trusts' electronic hospital record for their direct medical
care – The trust’s process is for the patient to contact the data
protection officer, as advised on the website.

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can object to the passing
of their personal confidential data to DeepMind for processing for
secondary uses *only* (that is, for purposes other than their direct
medical care), including the pseudonymisation of personal confidential
data for that reason. Such an objection would, of course, not prohibit
medical staff within the hospitals from accessing their electronic
hospital record for their direct medical care - The trust’s process is
for the patient to contact the data protection officer, as advised on the
website.

The articles state that DeepMind will have access to the NHS' centralised
record of all hospital treatments in the UK, dubbed the Secondary User
Service (SUS) database.

At a patient's request, hospital trusts are required to remove all patient
identifiable data (NHS number or name/address, local patient identifier
(hospital number), DOB, postcode) from any SUS submission (CDS file) and
render it anonymised and not pseudonymised. Guidance on such a process is
available from the HSCIC :

• Please can you provide me with the opt-out form that patients of the
Royal Free NHS Trust can use to request such anonymisation of their SUS
data submissions The trust’s process is for the patient to contact the
data protection officer, as advised on the website.

Patients might not be aware of the processing of their data by DeepMind in
this way. When they do find out, and if there are unhappy about such an
arrangement, they might wish to ensure that any such data about them that
has been uploaded or passed to DeepMind is deleted completely. The
trust’s process is for the patient to contact the data protection
officer, as advised on the website.

• Please could you provide me with the process (including any requisite
forms that must be completed) by which patients can request that any
personal confidential data about them uploaded or passed to DeepMind is
completely deleted, and that no further information is passed to DeepMind
for either primary or secondary purposes. Such an objection would, of
course, not prohibit medical staff within the hospitals from accessing
their electronic hospital record for their direct medical care - The
trust’s process is for the patient to contact the data protection
officer, as advised on the website.

As per Section 1(4) of the FOI Act

( [9]http://www.legislation.gov.uk/ukpga/2000... ) I would like
the information in question held at the time when my request is received
(draft or otherwise), except that account may be taken of any amendment or
deletion made between now and the latest time by which the information is
to be communicated to me, being an amendment or deletion that would have
been made regardless of the receipt of my request.

I would be grateful if you would be kind enough to send me the requested
information promptly and in any event not later than the twentieth working
day following the date of receipt of my request, which I make to be the
1st June.

If my request is denied in whole or in part, or specific items within the
responses are withheld from disclosure, then you must justify all
deletions by reference to specific exemptions of the act, as per Section
17 of the Act ( [10]http://www.legislation.gov.uk/ukpga/2000... ). Where you rely on a qualified exemption to withhold disclosure, you are
obliged to consider the public interest in your decision and the refusal
notice must explain not only which exemption applies and why, but also the
public interest arguments addressed in reaching the decision.

I would be grateful if you would kindly acknowledge receipt of this
request as recommended by the ICO ("It would be good practice to
acknowledge receipt of requests and to refer to the 20 working day time
limit, so that applicants know their request is being dealt with").

Thank you very much once again, and I look forward to the information that
I have requested, in accordance with the Act.

Yours sincerely,

Dr Neil Bhatia

-------------------------------------------------------------------

Please use this email address for all replies to this request:

[11][FOI #331981 email]

Is [12][Royal Free London NHS Foundation Trust request email] the wrong address for Freedom of Information
requests to Royal Free London NHS Foundation Trust? If so, please contact
us using this form:

This message may contain confidential information. If you are not the
intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or
take any action in reliance on its contents:
to do so is strictly prohibited and may be unlawful.

Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS
staff in England and Scotland
NHSmail is approved for exchanging patient data and other sensitive
information with NHSmail and GSi recipients
NHSmail provides an email address for your career in the NHS and can be
accessed anywhere